how to create an encrypted certificate for ms graph subscription requests?

I'm trying to create a subscription to MS Graph for MS Teams chats.
I've been reading through this documentation: https://learn.microsoft.com/en-us/graph/teams-changenotifications-teammembership
The sample POST message looks like this:
POST https://graph.microsoft.com/v1.0/subscriptions
Content-Type: application/json
{
"changeType": "created,deleted,updated",
"notificationUrl": "https://webhook.azurewebsites.net/api/resourceNotifications",
"resource": "/teams/{team-id}/members",
"includeResourceData": true,
"encryptionCertificate": "{base64encodedCertificate}",
"encryptionCertificateId": "{customId}",
"expirationDateTime": "2019-09-19T11:00:00.0000000Z",
"clientState": "{secretClientState}"
}
It's not clear to me how I would create the encryption certificate or the certificateId values
I'm currently googling / poking around in the MS graph docs but if someone could just point me to the right article, I'd appreciate it.

You need to create a certificate on Azure, and store it in a Vault.
Then, when you create the subscription, you will use:
the encryptionCertificate property (the certificate that you created)
the encryptionCertificateId property (your own identifier)
Follow these instructions in the Graph API doc -> Develop\Use the API\Change notifications -> Notifications with resource data
Managing encryption keys that you need for notifications
I recommend you go through this doc, which is more complete than the example you got.
And don't forget to validate the endpoint! This is described in that doc too.
Set up a subscription with resource data
The formal description of these two fields:
Subscription properties
I hope it helps :)
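As an added illustration of the answer above (this is not code from the question, the answer, or Microsoft): any X.509 certificate with an RSA key works for encryptionCertificate; Graph only receives the public certificate, DER encoded and then base64 encoded, and encryptionCertificateId is a string you pick so that your receiver knows which private key to use. The example below generates such a certificate with the `cryptography` package, builds the subscription body from the question, and implements the receiver side of a notification with resource data: unwrap the AES key with the private key (RSA-OAEP/SHA-1), check the HMAC-SHA256 `dataSignature` before decrypting, then decrypt AES-256-CBC with IV = first 16 bytes of the key, as the Graph documentation for notifications with resource data describes. `simulate_graph_encryption()` re-implements Graph's sender side only to produce offline test input; the notification URL, certificate id, clientState and the 50-minute expiration are assumptions.

```python
# Added example for this answer; not code from the question, the answer, or Microsoft.
# Needs the `cryptography` package. simulate_graph_encryption() stands in for Graph.
import base64
import datetime
import hashlib
import hmac
import os

from cryptography import x509
from cryptography.hazmat.primitives import hashes, serialization
from cryptography.hazmat.primitives import padding as sym_padding
from cryptography.hazmat.primitives.asymmetric import padding, rsa
from cryptography.hazmat.primitives.ciphers import Cipher, algorithms, modes
from cryptography.x509.oid import NameOID

# Graph wraps the per-notification AES key for your certificate with RSA-OAEP/SHA-1.
OAEP_SHA1 = padding.OAEP(mgf=padding.MGF1(hashes.SHA1()), algorithm=hashes.SHA1(), label=None)


def make_certificate(common_name="graph-notifications", days=365):
    """Self-signed RSA-2048 certificate. Graph only gets the public certificate;
    the private key never leaves the receiver (a Key Vault is one place for it)."""
    key = rsa.generate_private_key(public_exponent=65537, key_size=2048)
    name = x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, common_name)])
    now = datetime.datetime.now(datetime.timezone.utc)
    cert = (
        x509.CertificateBuilder()
        .subject_name(name)
        .issuer_name(name)
        .public_key(key.public_key())
        .serial_number(x509.random_serial_number())
        .not_valid_before(now)
        .not_valid_after(now + datetime.timedelta(days=days))
        .sign(key, hashes.SHA256())
    )
    return key, cert


def subscription_body(cert, cert_id, notification_url, resource, client_state, minutes_valid=50):
    """POST /subscriptions body. encryptionCertificate is the DER certificate, base64
    encoded; encryptionCertificateId is any string you choose, echoed back in each
    notification so the receiver can pick the right private key after a rotation.
    minutes_valid=50 is an assumption; the maximum depends on the resource."""
    der = cert.public_bytes(serialization.Encoding.DER)
    expires = datetime.datetime.now(datetime.timezone.utc) + datetime.timedelta(minutes=minutes_valid)
    return {
        "changeType": "created,deleted,updated",
        "notificationUrl": notification_url,
        "resource": resource,
        "includeResourceData": True,
        "encryptionCertificate": base64.b64encode(der).decode("ascii"),
        "encryptionCertificateId": cert_id,
        "expirationDateTime": expires.strftime("%Y-%m-%dT%H:%M:%S.0000000Z"),
        "clientState": client_state,
    }


def load_certificate_from_body(body):
    """Sanity check before posting: the value must decode to a DER certificate."""
    return x509.load_der_x509_certificate(base64.b64decode(body["encryptionCertificate"]))


def simulate_graph_encryption(cert, plaintext, cert_id):
    """Graph's documented sender side, re-implemented here only to produce test input:
    random AES-256 key; AES-CBC, PKCS7, IV = first 16 bytes of the key; HMAC-SHA256
    of the ciphertext under the same key; key wrapped with the certificate's RSA key."""
    key = os.urandom(32)
    padder = sym_padding.PKCS7(128).padder()
    padded = padder.update(plaintext) + padder.finalize()
    enc = Cipher(algorithms.AES(key), modes.CBC(key[:16])).encryptor()
    ciphertext = enc.update(padded) + enc.finalize()
    return {
        "encryptionCertificateId": cert_id,
        "dataKey": base64.b64encode(cert.public_key().encrypt(key, OAEP_SHA1)).decode("ascii"),
        "dataSignature": base64.b64encode(hmac.new(key, ciphertext, hashlib.sha256).digest()).decode("ascii"),
        "data": base64.b64encode(ciphertext).decode("ascii"),
    }


def decrypt_resource_data(private_key, encrypted_content):
    """Receiver side: unwrap the key, check the HMAC first, then decrypt. A wrong key,
    a tampered ciphertext or a mismatched signature raises ValueError."""
    key = private_key.decrypt(base64.b64decode(encrypted_content["dataKey"]), OAEP_SHA1)
    ciphertext = base64.b64decode(encrypted_content["data"])
    expected = hmac.new(key, ciphertext, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, base64.b64decode(encrypted_content["dataSignature"])):
        raise ValueError("dataSignature mismatch; resource data left undecrypted")
    dec = Cipher(algorithms.AES(key), modes.CBC(key[:16])).decryptor()
    unpadder = sym_padding.PKCS7(128).unpadder()
    return unpadder.update(dec.update(ciphertext) + dec.finalize()) + unpadder.finalize()


if __name__ == "__main__":
    key, cert = make_certificate()
    body = subscription_body(cert, "teams-members-v1", "https://example.invalid/api/resourceNotifications",
                             "/teams/{team-id}/members", "change-this-secret")
    load_certificate_from_body(body)
    notification = simulate_graph_encryption(cert, b'{"id":"member-1"}', body["encryptionCertificateId"])
    print(decrypt_resource_data(key, notification))
```

Two points worth keeping from this: the HMAC check runs before any decryption, so a payload encrypted for a different certificate or altered in transit is rejected without ever reaching the AES code path, and the receiver should select its private key by the encryptionCertificateId in the notification rather than assuming a single current certificate, which is what makes rotation (two subscriptions, two ids, two keys in the vault) painless.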

Related

Using RSC To Access Chat Messages with Microsoft Graph

I am building a Teams chat-bot that looks at the history of messages in the current chat/channel whilst in conversation with the user.
My bot has been granted all the RSC (Resource-Specific Content) Permissions it needs (see image below)
Here is the relevant parts of the manifest:
{
"$schema": "https://developer.microsoft.com/en-us/json-schemas/teams/v1.11/MicrosoftTeams.schema.json",
"version": "1.0.0",
"manifestVersion": "1.11",
"id": "bd33f8b1-b593-433c-926e-44a27c1bd94a",
...
"permissions": [
"identity",
"messageTeamMembers"
],
...
"bots": [
{
"botId": "e6d93739-a8ab-412d-a4f6-b6f514a3451a",
"scopes": [
"team",
"personal",
"groupchat"
],
"isNotificationOnly": false,
"supportsFiles": true
}
],
"validDomains": [],
"webApplicationInfo": {
"id": "e6d93739-a8ab-412d-a4f6-b6f514a3451a",
"resource": "https://RscBasedStoreApp",
"applicationPermissions": [
"TeamSettings.Read.Group",
"ChannelMessage.Read.Group",
"TeamSettings.Edit.Group",
"ChannelSettings.ReadWrite.Group",
"Channel.Create.Group",
"Channel.Delete.Group",
"TeamsApp.Read.Group",
"TeamsTab.Read.Group",
"TeamsTab.Create.Group",
"TeamsTab.ReadWrite.Group",
"TeamsTab.Delete.Group",
"Member.Read.Group",
"Owner.Read.Group",
"ChatSettings.Read.Chat",
"ChatSettings.ReadWrite.Chat",
"ChatMessage.Read.Chat",
"ChatMember.Read.Chat",
"Chat.Manage.Chat",
"TeamsTab.Read.Chat",
"TeamsTab.Create.Chat",
"TeamsTab.Delete.Chat",
"TeamsTab.ReadWrite.Chat",
"TeamsAppInstallation.Read.Chat",
"OnlineMeeting.ReadBasic.Chat",
"Calls.AccessMedia.Chat",
"Calls.JoinGroupCalls.Chat",
"TeamsActivity.Send.Chat"
]
}
}
Note: the bot has permission to read messages in chats and channels. Specifically, my problem affects chats and not channels (which I can get messages from fine).
In order to do this, I get a JWT token for the bot account, accessing the Graph API like so:
GraphServiceClient<?> gsc = GraphServiceClient.builder()
.authenticationProvider(u -> mac.getToken())
.buildClient();
Next, I am using the Graph API to pull back these messages. For messages in channels I can do:
// channel messages: team id, then channel id
gsc.teams("some team id")
.channels("some channel id")
.messages()
.buildRequest(Collections.emptyList()).get();
This works fine.
For chats, I am doing something like:
// chat messages: chat id only
gsc.chats("29:13qY8hmfkJinH9-v7rYKjCNFHYFJXKbjqR-NyzyKzL694npelHJoq5HrVtqJLRYo79OYeHGQq-bhtJM5N-yKXyQ")
.messages()
.buildRequest().get();
However, this time I get an error from the Graph API:
[Some information was truncated for brevity, enable debug logging for more details]
com.microsoft.graph.http.GraphServiceException: Error code: Forbidden
Error message: Invoked API requires Protected API access in application-only context when not using Resource Specific Consent. Visit https://learn.microsoft.com/en-us/graph/teams-protected-apis for more details.
GET https://graph.microsoft.com/v1.0/chats/29:13qY8hmfkJinH9-v7rYKjCNFHYFJXKbjqR-NyzyKzL694npelHJoq5HrVtqJLRYo79OYeHGQq-bhtJM5N-yKXyQ/messages
SdkVersion : graph-java/v5.6.0
I am at a loss to explain why querying channels works fine but querying chats fails.
Any help gratefully appreciated!
This is a protected API and in order to use it you will first need to make a formal request to Microsoft Graph, asking for permissions to use the API without any user interaction
Here is the list of protected APIs. You need to fill this form to get the required permissions.
To request access to these protected APIs, complete the following request form. We review access requests every Wednesday and deploy approvals every Friday, except during major holiday weeks in the U.S. Submissions during those weeks will be processed the following non-holiday week.
The other option would be to use delegated flow.

How can I get extended attributes with the Graph API?

I synchronized with Azure using AD Connect.
The extension attribute extension_{ID}_{attribute_name} is available through
https://graph.windows.net/myorganization/users
but I cannot do the same with
https://graph.microsoft.com/beta/users
According to the MS reference, graph.microsoft.com is recommended for this use from now on, so I would like to use the Graph API.
By the way, I tried $select=extension_{ID}_{attribute_name}, but I cannot get it, because it is not supported there in the first place.
Thanks.
I am glad to inform you that the problem is now solved.
It was a problem of permission.
Add Directory.ReadWrite.All
https://graph.microsoft.com/v1.0/users/xxxxxx@sample.com?$select=id,extension_xxxxxxx_msDS_PhoneticLastName
{
"@odata.context": "https://graph.microsoft.com/v1.0/$metadata#users(id,extension_xxxxxxx_msDS_PhoneticLastName)/$entity",
"id": "xxxxxxxx",
"extension_xxxxxxxxx_msDS_PhoneticLastName": "furi_hoge"
}

ErrorItemNotFound when trying to retrieve room calendar via MS Graph API

Next to retrieving calendar views of a user's calendar (on behalf of the user), we are trying hard to also get the calendar view of rooms via the Graph API using
https://graph.microsoft.com/beta/users/room1@ourdomain.com/calendarView. It's a painful process since we've been running into many problems and are currently stuck with the following 404 response:
https://graph.microsoft.com:443/v1.0/users/room1@ourdomain.com/calendarView?startDateTime=2018-12-04T23:00:00.000Z&endDateTime=2019-02-10T22:59:59.999Z
{
"error": {
"code": "ErrorItemNotFound",
"message": "The specified object was not found in the store.",
"innerError": {
"request-id": "358a003a-57a4-4f0e-91da-edc17c1fa2d8",
"date": "2018-12-12T07:38:33"
}
}
}
The email address of the room has been double checked and the resource exists, since we can create appointments with it and it is even being returned in the response when we retrieve the calendar of the user who has an appointment in that location.
App permissions and OAuth2 scopes are set to: openid email profile offline_access https://graph.microsoft.com/Calendars.Read https://graph.microsoft.com/Calendars.Read.Shared https://graph.microsoft.com/User.Read
https://graph.microsoft.com/User.ReadBasic.All https://graph.microsoft.com/User.Read.All, so that should not be an issue, judging by the documentation.
Does anyone know how to solve this?
I've tried all possible ways, but there is no way to get access.
This is what I've tried out the following in the Graph explorer:
https://graph.microsoft.com/v1.0/users/meetingroom1@domain.com/events -> DelegatedCalendarAccessDenied
https://graph.microsoft.com/v1.0/users/meetingroom1@domain.com/calendarView?startDateTime=2019-01-14&endDateTime=2019-01-18 -> ErrorItemNotFound
https://graph.microsoft.com/v1.0/users/meetingroom1@domain.com/calendar/calendarView?startDateTime=2019-01-14&endDateTime=2019-01-18 -> ErrorItemNotFound
All three on both the v1.0 and the beta.
It isn't an issue with rights, because for my testing I granted the Graph Explorer the Directory.ReadWrite.All scope. Resulting in the following scp claim.
The first requests seems the most promising (because of the different error), I also made myself a delegate with full control of the rooms-mailbox. That still didn't help.
A request to https://graph.microsoft.com/v1.0/users/meetingroom1@domain.com gives a result, as in a result describing the meeting room.
{
"@odata.context": "https://graph.microsoft.com/v1.0/$metadata#users/$entity",
"businessPhones": [],
"displayName": "Meeting room 1",
"givenName": null,
"jobTitle": null,
"mail": "meetingroom1@domain.com",
"mobilePhone": null,
"officeLocation": null,
"preferredLanguage": null,
"surname": null,
"userPrincipalName": "meetingroom1@domain.com",
"id": "3e0a7b7e-xxxx-xxxx-xxxx-xxxxcxxxx120"
}
After doing all these tests, I can only conclude that you cannot access the events in a rooms mailbox. This is either intended (as in only use the scheduling assistant) or a bug.
Maybe some of the Microsoft guys around here could clarify this?
FINALLY! After going through this with countless Microsoft support people, each of whom said this was not their territory and did not know where to forward the question, I got in touch with somebody from the Exchange team. He suggested the one thing that worked for us: the user on behalf of which you are retrieving the room resource calendar needs to be a delegate of that room resource!
In addition, to retrieve the list of room resources which the user can select from, we needed to use the findRooms endpoint but this only works on the beta API. The only drawback of this is that you cannot seem to filter for rooms of which the user is a delegate. So the user will get a list of rooms for which he might or might not be able to retrieve the calendar.
A final drawback of the room resource calendarView response is that the response does not contain the names of the meetings planned in the rooms. The description of each event only contains the name of the meeting organizer.

Microsoft Graph webhooks - subscribe to user calendars

I have a problem with my Microsoft Graph webhook subscriptions to /me/events. What I want to do is to subscribe to all user calendars.
First I have created the new app in https://apps.dev.microsoft.com using my personal Microsoft account.
Then in my app I subscribe to /me/events notifications using access token:
POST https://graph.microsoft.com/beta/subscriptions
{
"changeType": "created,updated",
"notificationUrl": "https://xxxxx.ngrok.io/notification-url",
"resource": "/me/events",
"expirationDateTime": "2018-11-14T09:40:10.933Z",
"clientState": "xxxx-xxxx-xxxx-xxxx"
}
My notificationUrl receives validation request to which my app responds with 200 OK and validation token. After that the POST request returns me my subscription:
{
"@odata.context" : "https://graph.microsoft.com/beta/$metadata#subscriptions/$entity",
"id" : "2773aa4c-e983-4d15-9236-xxxxxxxx",
"resource" : "/me/events",
"applicationId" : "d551ec34-8d44-4cc6-9b88-xxxxxxxx",
"changeType" : "created,updated",
"clientState" : "xxxx-xxxx-xxxx-xxxx",
"notificationUrl" : "https://xxxxx.ngrok.io/notification-url",
"expirationDateTime" : "2018-11-14T09:40:10.933Z",
"creatorId" : "00000000000"
}
This subscription works fine but only for one, default calendar in Outlook. I don't receive any notifications if I create, update events in any other calendars that exists in my account.
What could be the problem here, am I using wrong resource name (/me/events) or this is some limitation for personal accounts in Microsoft Graph?
When you use /me/events you are going to the default Calendar for the user (per the docs). In your case, you would want to enumerate the user's calendars (GET /me/calendars) then subscribe to each one's events collection, using the resource /me/calendars/{calendar-id}/events.
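The question above describes the validation handshake (Graph POSTs to the notificationUrl with a validationToken, and the subscription is only created once the endpoint echoes it back), and the answer to the first question on this page stresses validating the endpoint. Below is an added, stdlib-only Python sketch of that receiver, not code from either post: it answers the handshake correctly and checks clientState on every notification in constant time, dropping anything that does not match. The host, port, the clientState value and the TLS terminator assumed to sit in front of it are assumptions; Graph only delivers to a public HTTPS URL (the question used ngrok for that).

```python
# Added example; not from the question or the answer. Stdlib only.
import hmac
import json
from http.server import BaseHTTPRequestHandler, HTTPServer
from urllib.parse import parse_qs, urlparse


def handle_notification_post(query_string, body, expected_client_state):
    """Pure function so it can be tested without a socket.
    Returns (status, content_type, response_text, accepted_notifications)."""
    params = parse_qs(query_string)
    if "validationToken" in params:
        # Validation handshake: Graph URL-encodes the token and expects it back
        # decoded, as text/plain, with a 200, within 10 seconds. Nothing else is
        # done with this request; it is not a notification.
        return 200, "text/plain", params["validationToken"][0], []

    try:
        items = json.loads(body)["value"]
        if not isinstance(items, list):
            raise TypeError("value is not a list")
    except (ValueError, KeyError, TypeError):
        return 400, "text/plain", "malformed notification", []

    accepted = []
    expected = expected_client_state.encode("utf-8")
    for item in items:
        if not isinstance(item, dict):
            continue
        # clientState is the only evidence that this POST belongs to a subscription
        # you created: compare it in constant time and silently drop mismatches
        # rather than telling the sender what went wrong.
        got = str(item.get("clientState", "")).encode("utf-8")
        if not hmac.compare_digest(got, expected):
            continue
        accepted.append(item)
    # Graph retries on anything but 2xx: acknowledge fast, do the real work afterwards.
    return 202, "text/plain", "", accepted


class GraphWebhook(BaseHTTPRequestHandler):
    client_state = "replace-with-the-clientState-you-sent"  # assumption: load from config

    def do_POST(self):
        length = int(self.headers.get("Content-Length") or 0)
        body = self.rfile.read(length)
        status, ctype, text, accepted = handle_notification_post(
            urlparse(self.path).query, body, self.client_state)
        self.send_response(status)
        self.send_header("Content-Type", ctype)
        self.end_headers()
        self.wfile.write(text.encode("utf-8"))
        for n in accepted:
            # Without includeResourceData the notification carries no content: fetch
            # n["resource"] from Graph with your own token instead of trusting the body.
            print("changed:", n.get("changeType"), n.get("resource"))


if __name__ == "__main__":
    HTTPServer(("127.0.0.1", 8080), GraphWebhook).serve_forever()  # terminate TLS in front
```

The split between the pure handler and the HTTP class is deliberate: the handshake and the clientState check are the two things that must be right, and they can be exercised with a query string and a byte string without standing up a server.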

How do I get a usable email message reference id from headers to use in a Microsoft Graph query?

I am trying to use the references message ID in email headers of a forwarded email in Office 365 to then find the original email that has that message ID.
The references ID in the forwarded email's headers would show something like what's shown below. Note I'm obtaining these headers from Microsoft Graph by adding &$select=internetMessageHeaders to my query using sender/subject to find the forwarded email.
{
"name": "References",
"value": "<CAOLK2SAEzvs=-6Rs5cTbgORNivQVK2AvMJDJT8o+ghx-XhCn7w@mail.gmail.com>"
}
However, if I take this and use it in a query like https://graph.microsoft.com/v1.0/me/messages?$filter=internetMessageId eq '<CAOLK2SAEzvs=-6Rs5cTbgORNivQVK2AvMJDJT8o+ghx-XhCn7w@mail.gmail.com>'
I do not receive any results.
If I hunt down the original email in Microsoft Graph using sender and subject, I see the following for the internetMessageId field for the original email:
{
"name": "Message-ID",
"value": "<CAOLK2SC6s9Me05kYRqeuEHKK8DrQbXx34ScT0AzGOFFLMdRapg@mail.gmail.com>"
}
Does anyone have any ideas on what Office 365 or Microsoft Graph is doing to change CAOLK2SAEzvs=-6Rs5cTbgORNivQVK2AvMJDJT8o+ghx-XhCn7w into CAOLK2SC6s9Me05kYRqeuEHKK8DrQbXx34ScT0AzGOFFLMdRapg? It looks like some sort of encoding, but I haven't been able to reproduce it.
Ultimately I would like to be able to transform what I'm getting in the references ID header such that I can turn around and use that ID to find the original email using Microsoft Graph.
The id is a hashed value that, among other things, includes the path/folder that the message resides in. So if you, for example, move a message (say from Inbox to Archive) then you should expect the id to change.
For tracking a message, regardless of its location, you should use the internetMessageId ($select=internetMessageId) property instead.
I discovered the issue. In my test message-ID I have the characters = and +
These characters must be URL encoded to %3D and %2B before being used in the $filter query. When they are URL encoded, I am able to find the original email using MS Graph.
In Microsoft Graph v1.0 and beta, you can obtain "immutable ids" by sending an additional HTTP header in your API requests:
Prefer: IdType="ImmutableId"
I've put immutable in italics as this is the term Microsoft uses. Be aware of the following caveats, the ID will change if:
The user moves the item to an archive mailbox;
The user exports the item (to a PST, as an MSG file, etc.) and re-imports it into their mailbox;
The user creates a draft which they later send;
You can also convert existing ids to immutable ones by the following request:
POST https://graph.microsoft.com/beta/me/translateExchangeIds
{
"inputIds" :
[
"AQMkAGM2…"
],
"targetIdType" : "restImmutableEntryId",
"sourceIdType" : "restId"
}
Which will give you the response:
HTTP 200 OK
{
"@odata.context": "https://graph.microsoft.com/beta/$metadata#Collection(microsoft.graph.convertIdResult)",
"value": [
{
"targetId": "AAkALgAA...",
"sourceId": "AQMkAGM2..."
}
]
}
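The two answers above make separate points that belong together in one request: the `$filter` literal has to be percent-encoded (the `=` and `+` in the Message-ID are the visible symptom, but `<`, `>` and an embedded `'` need handling too), and `Prefer: IdType="ImmutableId"` is a header, not part of the URL. The following added Python helper, not code from either answer, builds that request offline; the `$select` list and the default base URL are assumptions.

```python
# Added example; not from the answers above. Builds the request, does not send it.
from urllib.parse import quote


def odata_string_literal(value):
    """OData wraps strings in single quotes and escapes an embedded quote by doubling it."""
    return "'" + value.replace("'", "''") + "'"


def message_lookup_request(internet_message_id, immutable_ids=False,
                           base="https://graph.microsoft.com/v1.0"):
    """Return (url, headers) for GET /me/messages filtered on internetMessageId.
    The angle brackets are part of the stored value, so add them if they are missing."""
    if not (internet_message_id.startswith("<") and internet_message_id.endswith(">")):
        internet_message_id = "<" + internet_message_id + ">"
    flt = "internetMessageId eq " + odata_string_literal(internet_message_id)
    # safe="" percent-encodes everything outside the unreserved set, so '=', '+',
    # '<', '>', '@', spaces and the quotes all survive the query string intact.
    url = base + "/me/messages?$filter=" + quote(flt, safe="") + "&$select=id,internetMessageId,subject"
    headers = {}
    if immutable_ids:
        # Ask for ids that do not change when the message is moved between folders.
        headers["Prefer"] = 'IdType="ImmutableId"'
    return url, headers


if __name__ == "__main__":
    print(message_lookup_request("<CAOLK2SAEzvs=-6Rs5cTbgORNivQVK2AvMJDJT8o+ghx-XhCn7w@mail.gmail.com>", True))
```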
